[VIM] my dispute: Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )
Stuart Moore
smoore at securityglobal.net
Tue Aug 29 18:34:57 EDT 2006
VIM,
In the bugtraq message "Submit ( ToendaCMS<= ( Remote File Include
Vulnerabilities )" by "h4ck3riran at yahoo.com", the report claims several
include file issues.
One is:
> < #CodE: include($site.'.php');
>
>
> < # Expolit :
>
> < # http://Www.Site.coM/[path]/setup/index.php?site=Sh3ll
But, in '/setup/index.php' the code actually says:
> switch($site){
> case 'language':
> include($site.'.php');
> break;
>
> default:
> include('inc/'.$site.'.php');
> break;
> }
So, yes the code includes [$site].php, but only if case 'language'. In
any other situation, it includes 'inc/[$site].php'. So, no it can't be
exploited to point to a remote URL. But, interestingly, this appears as
if it can be used to traverse the directory and include other files with
a ".php" extension on the local system. This being a setup script, I
don't know if you'd leave it up on an active system.
The report also claims:
> < # CodE : require($tcms_administer_site.'/tcms_global/database.php')
>
>
> < #Expolit :
>
> < #http://Www.Site.coM/[path]/media.php?tcms_administer_site=Sh3ll
but the '/media.php' code says:
> $tcms_administer_site = 'data';
> require($tcms_administer_site.'/tcms_global/database.php');
The other claims are related to 'tcms_administer_site' (which, for
'index.php', was debunked by Carsten Eilers on Aug 24th). I didn't
check all of these out, but if I had to guess ...
Stuart
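
The dispatch quoted in this message, rewritten so that `$site` can only select a known setup page and the resolved file must stay inside the setup directory. This is an added example, not part of the original post and not ToendaCMS code; the page list, the function name `resolve_setup_page` and the demo directory are assumptions.

```php
<?php
// Added example, not ToendaCMS code. Page names and layout are assumed.
// Hypothetical allow-list of setup pages; the real set is not given in the post.
const SETUP_PAGES = ['language', 'database', 'finish'];

// Return the file the setup script may include for $site, or null to refuse.
function resolve_setup_page(string $site, string $baseDir): ?string
{
    // 1. Exact allow-list match: separators, dots and URL schemes never pass.
    if (!in_array($site, SETUP_PAGES, true)) {
        return null;
    }
    // 2. Same layout as the quoted switch: 'language' sits beside index.php,
    //    every other page lives under inc/.
    $relative = ($site === 'language') ? $site . '.php' : 'inc/' . $site . '.php';
    // 3. Defence in depth: canonicalise, then confirm containment in $baseDir.
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $relative);
    if ($root === false || $path === false) {
        return null; // missing file or missing base directory
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside the setup directory
    }
    return $path;
}

// Constructed demo: a throwaway tree and a few constructed request values.
$base = sys_get_temp_dir() . '/setup_demo_' . getmypid();
@mkdir($base . '/inc', 0700, true);
file_put_contents($base . '/language.php', "<?php\n");
file_put_contents($base . '/inc/database.php', "<?php\n");

foreach (['language', 'database', '../language', 'http://example.invalid/x', 'finish'] as $req) {
    $file = resolve_setup_page($req, $base);
    printf("%-26s => %s\n", $req, $file === null ? 'refused' : 'include ' . basename($file));
}

// Remove the demo tree.
array_map('unlink', [$base . '/language.php', $base . '/inc/database.php']);
rmdir($base . '/inc');
rmdir($base);
```

Only the two pages that are both on the allow-list and present on disk resolve to a file; every other request value is refused before any `include` would run.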